From ffe829d5a54873985ea97d919585dbc9a0d564b0 Mon Sep 17 00:00:00 2001
From: Brian Neradt
Date: Wed, 6 Jul 2022 17:52:06 -0500
Subject: [PATCH] Make jsonrcp restricted_api false by default. Making restricted_api false by default will cause ATS to enforce socket permissions rather than relying upon the DAC of the socket. With this change, ATS will restrict access to privileged users for write operations while allowing broader access for read-only options. Thus `traffic_ctl config get` will be generally accessible since it is a read-only operation, while `traffic_ctl config set` will require privilege since it modifies the configuration. This default should be reasonable since that is how 9.0 used to behave.
---
 configs/jsonrpc.yaml.default | 2 +-
 doc/admin-guide/files/jsonrpc.yaml.en.rst | 2 +-
 mgmt/rpc/server/IPCSocketServer.h | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/configs/jsonrpc.yaml.default b/configs/jsonrpc.yaml.default
index 82665a22544..f6436564e76 100644
--- a/configs/jsonrpc.yaml.default
+++ b/configs/jsonrpc.yaml.default
@@ -11,4 +11,4 @@
 # rpc:
 # enabled: true
 # unix:
-# restricted_api: true
+# restricted_api: false
diff --git a/doc/admin-guide/files/jsonrpc.yaml.en.rst b/doc/admin-guide/files/jsonrpc.yaml.en.rst
index 86fb8f36839..26aff3942f2 100644
--- a/doc/admin-guide/files/jsonrpc.yaml.en.rst
+++ b/doc/admin-guide/files/jsonrpc.yaml.en.rst
@@ -76,7 +76,7 @@ File `jsonrpc.yaml` is a YAML format. The default configuration looks like:
 rpc:
 enabled: true
 unix:
- restricted_api: true
+ restricted_api: false
 ===================== ==========================================================
diff --git a/mgmt/rpc/server/IPCSocketServer.h b/mgmt/rpc/server/IPCSocketServer.h
index 3a76bf42410..886646a01b8 100644
--- a/mgmt/rpc/server/IPCSocketServer.h
+++ b/mgmt/rpc/server/IPCSocketServer.h
@@ -119,7 +119,7 @@ class IPCSocketServer : public BaseCommInterface
 int backlog{5};
 int maxRetriesOnTransientErrors{64};
 bool restrictedAccessApi{
- true}; // This config value will drive the permissions of the jsonrpc socket(either 0700(default) or 0777).
+ NON_RESTRICTED_API}; // This config value will drive the permissions of the jsonrpc socket(either 0700(default) or 0777).
 };
 friend struct YAML::convert;
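Review bot: The trailing comment on the new `restrictedAccessApi` initializer still says `0700(default)`, which no longer matches the default now that the member is initialized with `NON_RESTRICTED_API`. That constant is defined outside this hunk, so its value is presumably `false` but cannot be confirmed here. Going by the comment, the unrestricted mode creates the socket as 0777, so any local user can connect and the privilege check on write operations described in the commit message becomes the only barrier in front of `config set`-style calls. The comment should state that, for example `NON_RESTRICTED_API}; // Socket mode: 0700 when restricted, 0777 (default) otherwise; write methods are then gated by the caller privilege check.` The enclosing `Config` struct begins above the hunk.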